Secure Networks It’s not just for your office Dial-In Number: Meeting Number:

Network - Defined A computer attached to another computer o Can be used to share files o Can be used to share resources such as printers or network attached devices such as storage appliance o Most commonly used to share an internet connection Dial-In Number: Meeting Number:

Why would I care about my home network’s security? Anywhere client information exists or can be accessed from is a risk o Client information exists in your o You probably check your from home o You connect a device you use to work with client data to your home network o Your cell phone has your and you connect to wireless at your house with your phone o Your cell phone connects to wireless at your home and your office Dial-In Number: Meeting Number:

Terminology Internet – Global network of computers Modem – Device that gets you connected to the internet Router – Device that translates between outside (internet) and inside (LAN) networks Switch or Hub – Connects wired network devices together Wireless – 2.4Ghz, 5Ghz, etc. data radio transmissions most commonly used to network computer devices Computer – Any device that runs a program Firewall – A security device used to limit the access from one network section to another, a security software used to limit access to another device or that devices access Dial-In Number: Meeting Number:

What is a network anyway? Wired and Wireless Hybrid With Switch Wireless Devices Router/Firewall(lite) Switch Wall Plate Computer Internet Dial-In Number: Meeting Number:

Wired and Wireless Hybrid Wireless Devices Router/Firewall(lite) Computer Internet Dial-In Number: Meeting Number:

All Wireless Wireless Devices Router/Firewall(lite) Computer Internet Dial-In Number: Meeting Number:

US-Cert Security Tip (ST15-002) Why secure your home router? Home routers are directly accessible from the Internet, are easily discoverable, are usually continuously powered-on, and are frequently vulnerable because of their default configuration. These characteristics offer an intruder the perfect target to obtain a user’s personal or business data. The wireless features incorporated into many of these devices add another vulnerable target. The 11 tips and content are directly from US-Cert Security Tip ST The goal of this webinar is to explain them in more detail and answer any questions that arise from covering them. The full article can be found at and is highly recommended. This product is provided subject to this Notification and this Privacy & Use policy from the US-Cert and is coded TLP White and can be shared without restriction.NotificationPrivacy & Use Dial-In Number: Meeting Number:

Change the default username and password o These default usernames and passwords are readily available in different publications and are well known to attackers; therefore, they should be immediately changed during the initial router installation. It’s best to use a strong password, consisting of letters, numbers, and special characters totaling at least 14 characters. Manufacturers set default usernames and passwords for these devices at the factory for their troubleshooting convenience. Furthermore, change passwords every 30 to 90 days. See Choosing and Protecting Passwords for more information on creating a strong router password. Dial-In Number: Meeting Number:

Change the default SSID o A service set identifier (SSID) is a unique name that identifies a particular wireless local area network (WLAN). All wireless devices on a WLAN must use the same SSID to communicate with each other. Manufacturers set a default SSID at the factory, and this SSID typically identifies the manufacturer or the actual device. An attacker can use the default SSID to identify the device and exploit any of its known vulnerabilities. Users sometimes set the SSID to a name that reveals their organization, their location, or their own name. This information makes it easier for the attacker to identify the specific business or home network based upon an SSID that explicitly displays the organization’s name, organization’s location, or an individual’s own name. For example, an SSID that broadcasts a company name is a more attractive target then an SSID broadcasting “ABC123.” Using default or well-known SSIDs also makes brute force attacks against WPA2 keys easier. When choosing an SSID, make the SSID unique and not tied to your personal or business identity. Dial-In Number: Meeting Number:

Don’t stay logged in to the management website for your router o Routers usually provide a website for users to configure and manage the router. Do not stay logged into this website, as a defense against cross-site request forgery (CSRF) attacks. In this context, a CSRF attack would transmit unauthorized commands from an attacker to the router’s management website. Disable UPnP when not needed o Universal Plug and Play (UPnP) is a handy feature allowing networked devices to seamlessly discover and establish communication with each other on the network. Though the UPnP feature eases initial network configuration, it is also a security hazard. For example, malware within your network could use UPnP to open a hole in your router firewall to let intruders in. Therefore, disable UPnP unless you have a specific need for it. Dial-In Number: Meeting Number:

Configure Wi-Fi Protected Access 2 (WPA2)- Advanced Encryption Standard (AES) for data confidentiality o Some home routers still use Wired Equivalent Privacy (WEP), which is not recommended. In fact, if your router or device supports only WEP, but not other encryption standards, you should upgrade your network device.[1] One newer standard, WPA2-AES, encrypts the communication between the wireless router and the wireless computing device, providing stronger authentication and authorization between the devices. WPA2 incorporates the Advanced Encryption Standard (AES) 128-bit encryption that is encouraged by the National Institute of Standards and Technology (NIST). WPA2 with AES is the most secure router configuration for home use. Immediately disable WPS o Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure moderately secure wireless networks. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8-digit PIN is correct. The lack of a proper lockout policy after a certain number of failed attempts to guess the PIN on many wireless routers makes a brute-force attack much more likely to occur. Dial-In Number: Meeting Number:

Limit WLAN signal emissions o WLAN signals frequently broadcast beyond the perimeters of your home or organization. This extended emission allows eavesdropping by intruders outside your network perimeter. Therefore, it’s important to consider antenna placement, antenna type, and transmission power levels. Local area networks (LANs) are inherently more secure than WLANs because they are protected by the physical structure in which they reside. Limit the broadcast coverage area when securing your WLAN. A centrally located, omnidirectional antenna is the most common type used. If possible, use a directional antenna to restrict WLAN coverage to only the areas needed. Experimenting with transmission levels and signal strength will also allow you to better control WLAN coverage. Note that a sensitive antenna may pick up signals from further away than expected, a motivated attacker may still be able to reach an access point that has limited coverage. Turn the network off when not in use o While it may be impractical to turn the devices off and on frequently, consider this approach during travel or extended offline periods. The ultimate in wireless security measures—shutting down the network—will definitely prevent outside attackers from being able to exploit your WLAN. Dial-In Number: Meeting Number:

Upgrade firmware o Just like software on your computers, the router firmware (the software that operates it) must have current updates and patches. Many of the updates address security vulnerabilities that could affect the network. When considering a router, check the manufacturer’s website to see if the website provides updates to address security vulnerabilities. Disable remote management o Disable this to keep intruders from establishing a connection with the router and its configuration through the wide area network (WAN) interface. Monitor for unknown device connections o Use your router’s management website to determine if any unauthorized devices have joined or attempted to join your network. If an unknown device is identified, a firewall or media access control (MAC) filtering rule can be applied on the router. For further information on how to apply these rules, see the literature provided by the manufacturer or the manufacturer’s website. Dial-In Number: Meeting Number:

Questions? Yes, no, true or false, and multiple choice questions are preferred.